[josm-dev] shocking - unsecure password sending!
frederik at remote.org
Wed Oct 7 00:50:56 BST 2009
Karl Guggisberg wrote:
> I think that people would be disappointed if one explained them how OAuth would work from JOSM.
> My understanding is, that it would work along the following steps:
Probably right although I'm sure a way can be found to save the user
from having to cut+paste the token.
> The request token can be saved in the JOSM-profile (agreed, that this avoids having userid/password
> unencrypted in the profile) and it will be used to get another access token the next time JOSM
> is started, but using OAuth doesn't protect us from sending uid/password in cleartext over the net.
The difference is that since the token is valid forever, the unencrypted
transfer of username and password will take place only once, and not
with every request. (Requests would still contain the unencrypted token
which would allow others to make edits in your name though.)
But as I said before, I don't currently consider OSM accounts to be a
valuable asset. I have many of them and should one be compromised then
I'll create another. Any account created anonymously from the web page
has the same privileges as my account so why should a hacker bother to
hijack my account when he can just sign up for one? Thus I think the
whole security question is more a kind of knee-jerk security paranoia
thing than a real concern. (And anyone who cares so little about
security that he uses the same password for OSM that he uses elsewhere
does not really deserve that we make an effort to protect his data, does
This would however change if OSM accounts had special privileges. If my
account could to things that yours cannot then that might make a difference.
Frederik Ramm ## eMail frederik at remote.org ## N49°00'09" E008°23'33"
More information about the josm-dev